Anonymous thrown into China-US cyberwar scandal

Members of the Anonymous movement, including alleged ringleader-turned-informant Hector “Sabu” Monsegur, may have played a crucial role in helping cybersecurity experts home in on the Chinese hackers profiled in a highly touted report released this week.

In a report published Tuesday by Northern Virginia information
security company Mandiant, an elusive cyber squadron working for
China’s People’s Liberation Army is linked to the compromise of as
many as 141 companies across 20 major industries in recent years,
including a corporation with access to Canada’s oil pipelines and
entities of the United States government.

At around 70 pages, the report offers an introduction to the group,
Unit 61398, and explains how computer experts at Mandiant were able
to come close to pinpointing three individuals within the “Advanced
Persistent Threat” group, or APT1, that they believe have
participated in a covert cyberwar against the US on behalf of the
Chinese military.

Buried deep in the report, however, is evidence that Mandiant didn’t
do all the work alone: the authors of “APT1: Exposing One of
China’s Cyber Espionage Units” say that a 2011 hack perpetrated by
the loose-knit Anonymous collective was instrumental in gaining
ground on the identities of the Far East hackers.

In the report, Mandiant offers a brief profile of three hackers
believed to be involved with APT1: “uglygorilla,” “DOTA” and
“SuperHard.” Although the company says its investigation into the
unit had already been underway for several years, Mandiant credits
information released by Anonymous in 2011 with helping it come
closer to identifying the accused cybercriminals.

In 2011, Anonymous retaliated against the security firm HBGary
after hacktivists became aware that Aaron Barr, CEO of its sister
company HBGary Federal, had infiltrated the movement and planned to
hand the identities of Anons to federal investigators. In response,
Anonymous waged an all-out war on HBGary and its associates,
hacking the company’s websites, stealing tens of thousands of
emails and compromising the online accounts registered to most of
the group’s staff. Among the sites targeted was rootkit.com, a
coding website founded by HBGary associate Greg Hoglund. After
Anons compromised accounts belonging to Barr, they used that newly
gained access to get into Hoglund’s corporate email, and from there
they socially engineered a colleague of his into handing over
access to rootkit.com.

In her 2012 book We Are Anonymous, author Parmy Olson says Anon
hackers “had complete control of rootkit.com” and quickly set about
ravaging the site in conjunction with the other attacks waged
against HBGary and Mr. Barr.

“First they took the usernames and passwords of anyone who had ever
registered on the site, then deleted its entire contents. Now it
was just a blank page reading ‘Greg Hoglund = Owned,’” Olson
writes.

Next, Anonymous publicly released a file containing the usernames,
hashed passwords, e-mail addresses and other account details for
every registered account on rootkit.com. Among those, says Mandiant,
were accounts for both “uglygorilla” and “SuperHard,” two identities
security experts believe belong to Chinese hackers working in Unit
61398.

“[T]he disclosure of all registered ‘rootkit.com’ accounts
published by Anonymous included the user “uglygorilla” with the
registered email address uglygorilla@163.com. This is the same
email used to register for the 2004 PLA forum and the zone
hugesoft.org,” writes Mandiant, referring to an online forum
associated with the Chinese military and to a domain believed to
have been registered by the person using the “uglygorilla” name,
respectively. Reuse of one e-mail address across unrelated sites is
the selector that ties the accounts together.

Mandiant says the trove of information didn’t run dry with that one
link, though. The leaked rootkit.com account data also included the
IP address uglygorilla used to sign up for the website, which fell
within a Shanghai-area address range Mandiant ties to Unit 61398,
as well as registration details for another alleged Chinese hacker.

“Once again, in tracking [SuperHard] we are fortunate to have
access to the accounts disclosed from rootkit.com. The rootkit.com
account ‘SuperHard_M’ was originally registered from the IP address
58.247.237.4, within one of the known APT1 egress ranges,”
Mandiant reports.
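The pivoting Mandiant describes in the two passages above, a handle and e-mail address reused across unrelated sites plus a registration IP that falls inside a known egress range, reduces to correlating selectors across datasets. The following is an added example, not code from Mandiant or from the report: the account records are constructed for illustration, the CIDR watchlist is an assumption rather than a published APT1 range, and the only values taken from the article are the two handles, the 163.com address and the IP 58.247.237.4.

```python
"""Correlate selectors (e-mail, registration IP) across leaked account records.

Added example; not Mandiant's tooling. Records and the watchlist CIDR are
constructed assumptions, except the handles, uglygorilla@163.com and
58.247.237.4, which come from the article.
"""
import ipaddress
from collections import defaultdict

# Constructed sample rows: (source dataset, handle, registered e-mail, registration IP)
LEAKED_ACCOUNTS = [
    ("rootkit.com", "uglygorilla", "uglygorilla@163.com", "58.247.237.10"),      # IP constructed
    ("rootkit.com", "SuperHard_M", "superhard@example.invalid", "58.247.237.4"),  # IP from article
    ("rootkit.com", "alice", "alice@example.invalid", "203.0.113.7"),             # unrelated user
    ("pla-forum-2004", "uglygorilla", "UglyGorilla@163.com", None),               # constructed
    ("hugesoft.org-whois", "-", "uglygorilla@163.com", None),                     # constructed
]

# Assumed watchlist of egress ranges for the example; NOT a range from the report.
EGRESS_WATCHLIST = [ipaddress.ip_network("58.247.237.0/24")]


def ip_in_watchlist(ip, watchlist=EGRESS_WATCHLIST):
    """True if `ip` parses as an address and lies inside any watchlisted network."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed or non-IP field in the dump
        return False
    return any(addr in net for net in watchlist)


def pivot_on_email(records):
    """Group records by normalised e-mail, keeping only addresses seen in
    more than one independent source: that cross-site reuse is the link."""
    groups = defaultdict(list)
    for source, handle, email, ip in records:
        if email:
            groups[email.strip().lower()].append((source, handle, ip))
    return {e: hits for e, hits in groups.items()
            if len({src for src, _, _ in hits}) > 1}


def flag_watchlisted_registrations(records, watchlist=EGRESS_WATCHLIST):
    """Handles whose registration IP falls inside a watchlisted range."""
    return sorted({handle for _, handle, _, ip in records
                   if ip_in_watchlist(ip, watchlist)})


if __name__ == "__main__":
    for email, hits in pivot_on_email(LEAKED_ACCOUNTS).items():
        print(email, "seen in:", "; ".join(f"{s} as {h}" for s, h, _ in hits))
    print("registered from watchlisted ranges:",
          flag_watchlisted_registrations(LEAKED_ACCOUNTS))
```

Two caveats a practitioner would attach to this kind of pivot: a shared e-mail address is strong evidence that the same person controls both accounts, but a registration IP alone is weak, since a /24 of a consumer ISP is shared by many unrelated users and handles are freely copied. Mandiant treats these hits as one strand of evidence alongside infrastructure and malware overlaps, not as identification on their own.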

Olson says the hack against HBGary was spearheaded by Hector Xavier
Monsegur, or “Sabu,” the alleged ringleader of the Anonymous
offshoot LulzSec, who was arrested by the FBI several months later
and has since become a federal informant for the agency. Monsegur
is expected to be sentenced in a New York City courtroom on Friday
for a laundry list of criminal activity linked to Anonymous,
including hacking HBGary and gaining unauthorized access to
Hoglund’s site. Meanwhile, Mandiant says that the hugesoft.org
domain registered to uglygorilla has remained continuously active,
at least up until the release of its report this week.

After his 2011 arrest, Monsegur allegedly aided authorities in
rounding up other hackers internationally. He is believed to have
been provided with a server by the FBI that was allegedly used by
activist Jeremy Hammond to upload files taken in late 2011 from
private intelligence firm Stratfor. Hammond himself will be in
court this week for a hearing in that case.